Equifax breach just another page in the sordid history of credit bureaus

Pete Gerardo

The Mortgage Reports Contributor

The “Big 3” credit bureaus: With great power comes a history of questionable behavior

On September 7, millions of Americans awoke to the news that (once again) their sensitive personal and financial information might be in the hands of cyber-criminals.

The latest data breach occurred at Equifax, one of the “Big 3” credit reporting agencies (TransUnion and Experian are the other two), between May and July, exposing the data of about 143 million U.S. consumers.

Although Equifax claims the criminals didn’t access its “core consumer or commercial credit reporting databases,” the hackers did gain access to the social security numbers, birthdates and addresses of a huge number of consumers, as well as the credit card numbers of 200,000 Americans and dispute-related documentation for another 180,000 people.

For now, the breach is generating more questions than answers, as government officials and IT professionals wonder whose data has been compromised, how hackers penetrated the company’s network, why Equifax waited a month to go public, and why three top Equifax executives sold $1.8 million in company stock immediately after the breach was discovered.

However, what many consumers may be wondering is how and why this data was collected in the first place (without their permission) by an organization they know almost nothing about.

Just who are the “Big 3?” What are they doing with so much sensitive information, and can they be trusted to do a better job of safeguarding it in the future?

The bureaus were born to protect creditors

You may know nothing about the credit bureaus, but if you have a credit history, they know a lot about you. And if you have a credit card or a mortgage, or you’ve ever borrowed money from a financial institution, you have a credit history.

There are many credit bureaus worldwide, but the “Big 3” are the biggest and most powerful. Each company manages about 190 million credit files, and the vast majority of lenders use one or more of them to assess the creditworthiness of potential borrowers.

Though credit bureaus don’t make lending decisions, the credit scores and other information that they sell to lenders usually determine who will get a loan—and at what interest rate.

In short, credit bureaus aren’t in the business of lending money, but of gathering and selling “intel” to the companies that do.

Since they first appeared in the 1800s, their mission has been to protect merchants and lenders by identifying consumers with good and bad payment histories.

Equifax, for example, started life as a Tennessee grocery store run by Guy Woolford, who assembled lists of deadbeat customers and (later) sold them to other local merchants.

The business proved so lucrative that in 1899, Guy and his brother Cator founded the Retail Credit Company. By the 1920s, the firm had offices throughout the U.S. and Canada, and by the 1960s, it had information on millions of Americans. (The company changed its name to Equifax in 1979, which derives from "equitable factual information").

Experian and TransUnion have similar histories.

In the 1960s, Experian (then TRW Information Systems) was the consumer credit information arm of the defense contractor TRW. It entered the U.S. credit business after being purchased by U.K.-Based CCN Systems in 1996.

TransUnion was once a division of a company whose main focus was manufacturing. It entered the credit reporting business after it was spun off from the parent company in 2005.

A history of bad behavior

One of the earliest—and most infamous—commercial credit bureaus was a New York-based “mercantile agency” founded by Lewis Tappan, which eventually became Dun & Bradstreet.

In the 1840s, the agency employed hundreds of “correspondents” (spies) who used any and all means to dig up dirt on prospective borrowers, mostly local merchants and businessmen.

Here’s how a contemporary newspaper described their activities:

“Private Detectives Watching Business Men Day and Night—Spies Around the House and in the Kitchen—Questioning a Man’s Tradesmen and Pumping his Domestics—The Family History of Business Men and Their Wives Made a Subject of Daily Record, &c., &c.”

(At one time, Presidents Abraham Lincoln, Chester A. Arthur, Grover Cleveland and William McKinley worked as credit bureau correspondents.)

Eventually, the credit reporting agencies began relying on more trustworthy sources for their information (e.g., financial documents) but they didn’t cease to pry and spy.

In addition to interviewing friends and coworkers, the bureaus “collected news of bankruptcies, divorces, lawsuits, and arrests. They gathered clippings from newspapers and magazines. They recorded how many rooms were inside any one consumer’s home…. they sought out prejudicial information about moral character, sometimes judging creditworthiness by what happened in the bedroom.”

By the late-1960s, Equifax had a reputation for selling data to anyone who wanted it, regardless of whether it was accurate.

The company was known to collect details about everything from people’s marital woes to their sex lives to their political activities—some of which was false. The company was even rumored to award bonuses to employees who found the most negative information about consumers.

This type of behavior led Congress to pass the Fair Credit Reporting Act (FCRA) in 1970, but unfortunately, this didn’t put an end to some credit bureaus’ unethical and error-prone practices.

In 1991, for example, it was discovered that Experian (then TRW) had mistakenly reported that thousands of people living in a Vermont town had not paid their property taxes. Before long, similar cases began popping up throughout the Northeast, forcing the deletion of thousands of liens against these property owners.

A slew of lawsuits were filed against TRW, claiming sloppy procedures for creating credit files, a lack of response to consumer complaints and the re-reporting of previously deleted (and incorrect) data. All of the cases were settled out of court.

In response, TRW created a database known as the Constituent Relations Information Systems (CRIS) for the purpose of collecting personal information on thousands of politicians who had expressed an opinion about the company.

Most recently, the Consumer Financial Protection Bureau (CFPB) imposed multi-million-dollar fines on TransUnion and Equifax after an investigation discovered that the companies had deceived consumers about their credit reports and the fees charged for them.

The CFPB found that the two bureaus had misrepresented the credit scores they provided to consumers, falsely telling them that the reports they received were the same ones that lenders received. The CFPB also determined that the bureaus didn’t properly disclose to consumers that, after a seven- to 30-day trial period, those who signed up to get a free (or $1) credit report would be enrolled in a subscription program that cost $16 or more a month.

The Fair Credit Reporting Act

The Fair Credit Reporting Act was the first legislation to protect consumers dealing with the credit reporting agencies. The FCRA gives you the right to:

(With the passage of the Fair and Accurate Credit Transactions Act of 2003, consumers now have a right to one free copy of their credit report from each of the Big 3 agencies every year.)

Where do bureaus get their information?

The growth of credit bureaus coincided with, and helped fuel, the explosion of consumer credit (and credit cards) in the 1960s and 1970s. Before then, credit cards were relatively rare because extending credit to individual borrowers was a high-risk affair.

At one time, it was fairly easy for people to “max out” a credit card or default on a loan, and then apply for credit with another company before anyone learned of their bad credit history.

Today, computerization and digital communications allow lenders to access credit reports instantaneously. But while the speed of communication has accelerated, the type of information included in the typical report—and the sources of that information—hasn’t changed much over the last few decades.

A lot of data is acquired from government records. For example, information about bankruptcies, tax liens and foreclosures can be readily accessed via the court systems. Other personal information, including social security numbers, addresses, birth dates, employment histories, etc., is also a matter of public record.

However, most pertinent financial information comes from the lenders with whom you’ve done business.

If you’ve borrowed money, odds are high that the credit bureaus know the details of those transactions, including the type of loan, the current balance, minimum payments, any amounts past due, etc.

But this information isn’t always accurate.

In 2015, for example, a Federal Trade Commission (FTC) study of the U.S. credit reporting industry found that five percent of consumers had errors on one of their three major credit reports—mistakes that could cause them to pay more for products such as auto loans and insurance.

How the "Big 3" calculate your credit scores

Accurate or not, all this data (and more) is used by the credit bureaus to create their best-known product: the credit score. The most commonly used credit score is the three-digit FICO score, which was developed by the Fair Isaac Corporation, and ranges from a low of 300 to a high of 850.

Fair Isaac’s calculation formula is a trade secret, so it’s impossible to know how fair and rationale the scores really are.

What is known is that the FICO score is based on five data categories that are each assigned a relative importance (“weight”). The categories and weights are:

Your payment history (35%)

The amount owed (30%)

The length of your credit history (15%)

New credit for which you’ve applied (10%)

The type of credit used (10%)

Data privacy and security

Although the FCRA was one of the first data privacy laws in the world, it’s a bit of an antique compared with some of the data protection and privacy laws that have been introduced elsewhere since then, particularly in the European Union (EU).

For example, the EU’s new General Data Protection Regulation (GDPR) offers EU citizens very strong privacy rights (including the right to have certain data removed from public records), and imposes strict data breach notification rules on companies doing business in the EU.

In the U.S., however, the lack of an explicit Constitutional right to privacy, combined with a tradition of “laissez faire” economics, has left the nation without a single, robust federal law like the GDPR.

Instead, the U.S. has tended to rely on a patchwork of ad hoc regulations, state laws and industry self-regulation.

This may change in the wake of the Equifax data breach … or it may not.

On the one hand, some members of Congress have long advocated for a national data breach standard, as well as stricter standards for protecting sensitive consumer information, including Virginia Senator Mark Warner, co-founder of the Senate Cybersecurity Caucus.

Many experts believe that, despite the “bad PR” generated by the latest data breach, it’s unlikely that new data privacy and cybersecurity laws will be enacted soon, especially while industry-friendly Republicans control both houses of Congress.

In the short term, therefore, the best way for Americans to limit any damage from the Equifax breach, according to the FTC, is to contact each of the “Big 3” to request an immediate credit freeze. This will restrict access to your credit report, making it more difficult for identify thieves to open new accounts in your name.

Equifax is also offering consumers a year of free credit monitoring.

Until and unless new data protection laws are passed, consumers have few other options for protecting their data from increasingly sophisticated cyber-criminals who take advantage of under-prepared organizations such as Equifax.

Pete Gerardo is a business writer whose work has appeared in The New York Times and numerous trade magazines. Connect with Pete on LinkedIn.

The information contained on The Mortgage Reports website is for informational purposes only and is not an advertisement for products offered by Full Beaker. The views and opinions expressed herein are those of the author and do not reflect the policy or position of Full Beaker, its officers, parent, or affiliates.